Case l:18-cv-03127 Document 1-3 Filed 12/28/18 Page 1 of 9 


Exhibit C 



Case l:18-cv-03127 Document 1-3 Filed 12/28/18 Page 2 of 9 


*0 Micronite 


Shipping & Logistics Division 


White Paper 

Exposing the Flaws in PC Postage 


November 2017 


©2017 Micronite Inc. All rights reserved. 

Micronite, the Micronite logo, and Barcode Inspector are trademarks of Micronite Inc. 


Case l:18-cv-03127 Document 1-3 Filed 12/28/18 . Page,-? of 9 D „ D . 

Exposing tne Flaws in PC Postage 


Introduction 

On March 31, 1998, the United States Postal Service (USPS) approved a new technology called 
Electronic Postage which allowed anyone to purchase and print postage using a personal 
computer and an internet connection. It was developed by E-Stamp, a startup company in Palo 
Alto, California. The digital stamp, referred to as Information-Based Indicia (IBI), appeared on 
envelopes and labels as human-readable text coupled with a two-dimensional barcode containing 
data to identify the user and the mail piece as well as a cryptographic signature. This technology 
became known as PC Postage. 

The first generation of PC Postage systems were intended for small offices and home office 
businesses. They could only be used for a few domestic mail classes. International Mail and 
Special Services such as insurance and Certified Mail were not supported. 

As the number of ecommerce Web sites grew and online shopping became more prevalent, the 
USPS started adding more shipping services to better compete with its rival carriers in the 
private sector. A new Special Service called Delivery Confirmation was launched in 1999 
followed by the debut of Signature Confirmation in 2001. The Postal Accountability and 
Enhancement Act of 2006 (PAEA) allowed the USPS greater flexibility in crafting Negotiated 
Service Agreements (NSA) for high-volume shippers. In 2009, the USPS published the 
specifications for the Intelligent Mail Package Barcode (IMpb) to enhance its package tracking 
capabilities. 

Over the years, the three authorized PC Postage providers, namely Stamps.com, Endicia and 
Pitney Bowes, have been updating their software to keep up with the technological and 
operational changes occurring at the USPS. Nevertheless, the restrictions and limitations behind 
the original design of Electronic Postage have remained the same giving rise to numerous flaws. 

The objective of this white paper is to examine the flaws in PC Postage and demonstrate how 
they adversely impact the businesses which use PC Postage solutions for shipping, their 
customers and the United States Postal Service. 

Confidential Business Information Is Not Protected 

“Confidential business information” is generally defined as information belonging to an entity 
that is not publicly available, that has an economic value to the entity or its competitors because 
it is private and its disclosure would result in a material financial loss to the entity or a material 
financial gain to its competitors. 

Imagine if popular accounting software printed a company’s bank account details on the face of 
every check. What if the current account balance, total funds disbursed and total checks issued 
from that account can be readily viewed by the recipient of the check? 

That is essentially what is happening every time any PC Postage software generates a shipping 
label. The PC Postage barcode on the label is encoded with one or more key pieces of shipper’s 
account information such as: 

Ascending Register: Total value of all postage imprints generated by the PC Postage account. 
Descending Register: Current balance of the PC Postage account. 
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Piece Count: Total number of postage imprints generated by the PC Postage account. 

Postage: Cost of postage and fees for the shipping label paid to the USPS. 

The shipper may deem any or all of the above data to be its confidential business information. 
However, none of this data is protected, either through encryption or by any other means, leaving 
it visible to anyone who chooses to decode the PC Postage barcode. 

Let’s look at a nationally known ecommerce retailer which uses a PC Postage solution for its 
shipping. We will employ Micronite’s Barcode Inspector software to decode the PC Postage 
barcode in two shipping labels, one from 2015 and another from 2017. 



US POSTAGE AND FEES PAID 

AUG 31 2015 Mailed from ZIP 94040 

3 oz First — Class Package Rale 

Commercial Bate Price 


071V00622607 



USPS FRST-CLASS PKG 

Shipping Dep artment 

SSSS^^H R041 0020 

Novato, CA 94949 


Roseville, CA 95747-5962 


USPS TRACKING # 



9400 1108 9861 1004 9665 86 



US POSTAGE AND FEES PAID 

AUG 9 2017 Mailed from ZIP 94949 

4 02 First-Class Pkg Svc 
Commercial Base Price 



071V00622607 


USPS FIRST-CLASS PKG 


Novato. CA 94940-6085 


Roseville, CA 95747-5962 


|R04T] 0020 


USPS TRACKING# 




9400 1108 9861 1043 6873 74 


hlJ Barcode Inspector”" 
File Edit Help 


□ 


X 


Barcode Layout: | US PS PC Postage IBI, Endicia, L104 

3 


Reid Name 

Value 

1 

Indicia Version Number 

3 


Algorithm ID 

1 


Certificate Serial Number 

•317372 


PSD Manufacturer ID 

07 


PSD Model ID 

IV 


PSD Serial Number 

0000622607 


Ascending Register 

.512,403,333.31 


Postage 

52.04 


Mailing Date 

2013-03-31 


Registration ZIP Code 

MM3 


Tracking Number 

4966536 


Descending Register 

55,130.14 


Piece Count 

5,534,390 



53 91 E4 4B 90 AB 02 D2 SB CD CO M AD 4C B3 15 4B EE 

V 


Scanner... image... Data... 

Inspector Mode: 

Decode v 

Ready 

Bytes: 104 Scans: 2 

Scanner 




Barcode Inspector^ 1 

File Edit Help 

' 

X 

Barcode Laryout: USPS PC Postage IBI, Endicia. L104 


V 



Reid Name 

Value 


Indicia Version Number 

3 


Algorithm ID 

1 


Certificate Serial Number 

317372 


PSD Manufacturer ID 

07 


PSD Model ID 

IV 


PSD Serial Number 

0000022007 


Ascending Register 

524.017,093.93 


Postage 

52.01 


Mailing Date 

2017-0369 


Registration ZIP Code 

MM3 


Tracking Number 

43037374 


Descending Register 

54.970,44 


Piece Count 

9,403,407 



77 EA D3 39 D3 B2 OC 37 BO 73 OF E3 5F 31 3A 39 B9 43 72 


Scanner.. 


Image.. 


Data.. 


Inspector Mode : Decode 


Ready 


Bytes: 104 Scans: 1 Scanner 
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By calculating the changes in the Ascending Register and Piece Count values shown in the 
Barcode Inspector results, a competitor attempting to gain insight into this company’s sales trend 
can reasonably estimate that it has shipped 3,873,417 orders from August 31, 2015 through 
August 9, 2017 while spending $11,608,760.17 in postage at an average cost of $2.99 per order. 

Customer Data Is Neither Private Nor Secure 

Customers are one of the most valuable assets of any business. Disclosure of the customer list 
and any related data can jeopardize the success of the business and could even threaten its very 
existence. 

Therefore, when using any software to print shipping labels, it is important to know who gets 
access to the shipment details which include the customer’s name, address, contact and order 
information. 

In the case of PC Postage software, the answer depends on the type of PC Postage account being 
used: Standard or Shared. 

A Standard PC Postage account is owned and managed by the shipper for its exclusive use. 

A Shared PC Postage account does not belong to the shipper. Instead, it is owned by the PC 
Postage provider or one of its business partners such as a multi-carrier software vendor, a 
postage reseller, a marketplace operator or an e-commerce platform provider. 

When a PC Postage solution routes the shipping label request to the PC Postage provider through 
a Shared account, then one or more of its business partners, unbeknownst to the shipper, may 
also gain visibility to every shipment transaction along the way, thereby potentially 
compromising the privacy and security of the customer data. 

One of the major drawbacks of PC Postage technology is that all shipment transaction data is 
ultimately stored on the servers of the PC Postage provider. This holds true for Standard as well 
as Shared accounts. In the event of a data breach, either intentional or unintentional, the customer 
list of a business can fall into the hands of unscrupulous third-parties including its competitors. 

Micronite has found a glaring instance of such a data breach: One of the partners of the United 
States Postal Service in the PC Postage industry continues to expose detailed shipment data 
possibly for millions of transactions belonging to tens of thousands of shippers nationwide. As a 
precautionary measure, this white paper will not publish the specifics of the data breach. 

NSA Pricing Can Be Easily Discovered By Anyone 

A Negotiated Service Agreement (NSA) is a contract between a company and the USPS which 
provides for customized pricing and may include changes to postal requirements to meet the 
unique business needs of the company. NSAs are usually meant for high-volume shippers and 
postage resellers. 

As each NSA contract document is submitted to the Postal Regulatory Commission for review 
and approval, it is thoroughly redacted before publication to keep any pricing information secret. 
The USPS also prohibits the NSA customer from displaying the postage amount on any part of 
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the shipping label. According to its latest Annual Compliance Report , the USPS claims that such 
measures are necessary to prevent other customers from using “the information to their 
advantage in negotiating the terms of their own agreements with the Postal Service." The USPS 
further argues that public disclosure of commercially sensitive data, including pricing, would 
allow its competitors in the transportation and delivery space to extend better pricing incentives to 
postal customers. 

Notwithstanding the above, if a company chooses a PC Postage solution to print shipping labels 
with NS A pricing, then anyone can easily discover the negotiated price even though the postage 
is hidden. As shown earlier, that is because the PC Postage barcode contains the amount of 
postage paid to the USPS in addition to other confidential business information. 

To illustrate, we will use the Barcode Inspector to explore the NSA pricing of two customers of 
the USPS: Poshmark and Parcel Partners. 

Poshmark is an online marketplace for trading fashion merchandise. In 2014, Poshmark signed a 
deal with the USPS to allow its sellers to ship any Priority Mail package weighing up to five 
pounds anywhere in the United States for a flat fee. 

The results of decoding the PC Postage barcode on a Poshmark shipping label reveals that the 
negotiated price for a 5 pound Priority Mail package going to Zone 4 is $6.33. That price 
represents a discount of $5.62, or 47%, from the rate published in USPS Notice 123 - Price List . 



■f? Barcode Inspector’' 4 

- 

X 

File Edit Help 




Barcode Layout: 

USPS PC Postage IBI. Endicia. L1Q4 


3 






Field Name 


Value 


A 



Indicia Version Number 

0 




Algorithm ID 

1 




Certificate Serial Number 

817372 




PSD Manufacturer ID 

07 




PSD Model ID 

IS 




PSD Serial Number 

0000810518 




Ascending Register 

S144.307.857.03 




Postage 

$6.33 




Mailing Date 

2017-01-22 




Registration ZIP Code 

45370 




Tracking Number 

213157534 




Descending Register 

S18.190.10 




Piece Count 

21.440.029 





F8 36 8F 68 44 98 C8 12 EC 85 FD 51 76CF 88 55 E6 34CC 

V 








Scanner... 

Image... 

Data... Inspector Mode: 

Decode 

3 

Ready 


Bytes: 104 Scans: 1 

Scanner 



An astute competitor of either Poshmark or USPS can generate and decode Priority Mail 
shipping labels for the remaining seven zones and get a complete picture of the NSA discounts 
Poshmark gets from the USPS. 

Following the above methodology, we can also learn about the special discounts the USPS offers 
to Parcel Partners, one of the nation’s largest postage resellers. It primarily utilizes the PC 
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Postage platform to reach its customers. 

EasyPost, a newly authorized PC Postage provider, works with Parcel Partners to share a portion 
of the discounted postage with its end users. An EasyPost shipping label found on the internet 
gives some insight into the deep discounts Parcel Partners is receiving through its NS A program 
with the USPS. From the Barcode Inspector result below, a 3 pound, Zone 4 Priority Mail 
package is showing a postage price of $5.69, about 44% below the published USPS rate. 


P 


US POSTAGE AND FEES PAID GdSypOSt 


REPLY 
90278 
CID 1408 
ComPIsPrice 
3.0 LB ZONE 


0901000000071 


USPS PRIORITY MAIL 


0012 


REDONDO BEACH CA 90278-4711 


C003 


UNION CITY CA 94587-2097 


USPS TRACKING# 



9405 5368 9784 6165 9172 67 


■P Barcode Inspector’' 1 
File Edit Help 


Barcode Layout: USPS PC Postage IBI. EasyPost 


X 


1 Field Name 

Value 

Incfida Version 

118 

Provider ID 

09 

Model ID 

01 

PSD Serial Number 

000000071 

Postage 

$5.69 

Mailing Date 

2017-04-07 

Weight. Ounces 

0.2 

Weight. Pounds 

2 

IMpb Service Type Code 

055 

Origin ZIP Code 

90278-4711 

Mailer ID 

897846 

Tracking Serial Number 

16591726 

Destination Delivery Point 

94587209700 

1_1 







Scanner... 

image... 

Data... 

Inspector Mode: 

Decode v 


Ready 


Bytes: 119 Scans: 1 Scanner 


Once again, it would be an easy task to print and decode shipping labels for the weight and zone 
combinations applicable to Priority Mail as well as for other domestic and international mail 
products covered by the NSAs belonging to not only Parcel Partners, but also to other postage 
resellers. 

USPS Does Not Verify The Accuracy Of PC Postage Software 

One of the most important features of any shipping software is to help the ecommerce seller 
choose the best way to send a package from point A to point B. Therefore, the calculated cost 
must be accurate to ensure that the shipper or its customer is not overcharged for the requested 
service. 

The PC Postage providers are responsible for implementing their own shipping rate calculation 
functionality based on the rate charts and rules published by the USPS and keeping up with them 
as they change from time to time. However, based on numerous complaints on internet seller 
forums and social media outlets, it appears that the USPS does not verify the results of those rate 
calculations. 

A notable incident at one of the PC Postage providers after a major USPS price change caused 
many of its customers to pay the full retail rate for Priority Mail parcels instead of the lower 
Commercial Base or Commercial Plus price. In another instance, after a routine software update, 
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PC Postage customers were getting charged the much higher Zone 9 rates for Priority Mail 
instead of the lower Zone 8 rates. 

Neither the PC Postage provider nor the USPS has a policy of automatically auditing every 
shipment transaction, identifying any postage variance and crediting the price difference to the 
affected PC Postage accounts. 

To make matters worse, the burden falls upon the shipper to detect such miscalculations and 
request a refund for the overpriced shipping labels within a limited time frame, usually ten days. 

PC Postage Accounts Must Be Pre-Funded 

PC Postage technology was initially designed as a software-based alternative to the hardware- 
based postage meters. Consequently, they share a few common characteristics. One of them is a 
USPS requirement that every account must be pre-funded. That is, a PC Postage account must 
contain sufficient funds in order to purchase the requested postage amount. Furthermore, any 
balance remaining in the account cannot be withdrawn until the account is closed. 

Although the pre-funding model seemed reasonable during the early days when customers used 
PC Postage software primarily for mailing items which had no tracking, for example, postcards 
and letters, the rise of the online economy presented a new challenge. 

Most merchants who sell their goods online typically do not know in advance how many orders 
are going to be placed on a given day and which shipping option each customer will choose. 
When using a PC Postage solution to fulfill and ship orders as they arrive, the merchant must 
estimate the total funds they will need to deposit into their PC Postage account to cover the 
shipping costs. If the estimate is high, the funds cannot be withdrawn which ties up valuable 
financial resources, especially for small businesses who can put the money towards buying more 
inventory or for something else. 

Shipping Label Refund Procedure Is Very Cumbersome 

Many things can go wrong while printing shipping labels in a fast-paced environment. Printers 
tend to jam, servers unexpectedly crash, orders get canceled, mistakes happen. Depending upon 
the specific scenario, the result is labels that misprinted or did not print at all and have to be 
reprinted or labels that printed but cannot be used. 

A shipper who is left holding unused PC Postage shipping labels must follow a cumbersome 
refund procedure. This involves manually applying for a refund for each and every label and then 
waiting as long as three weeks or more for both the PC Postage provider and the USPS to 
process and approve the refund request. For certain types of shipments, the shipper must fill out a 
paper form and mail the unused labels as physical proof to the PC Postage provider in order to be 
eligible for a refund. 

Due to USPS regulations, all PC Postage providers limit the time frame within which the refund 
request must be initiated. As a result, a busy ecommerce seller may miss the deadline and the 
postage paid for the unused labels can be lost forever. 

Finally, on numerous occasions, the computer servers of the PC Postage providers have 
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experienced outages causing thousands of shippers to find themselves with no shipping labels 
but their accounts debited for the postage. Even in this situation, when the fault clearly lies with 
the PC Postage provider, there is no provision for an automatic and immediate refund policy and 
the shipper is ultimately responsible for requesting and waiting for the refund. 

Conclusion 

Although PC Postage may be a convenient technology for those who want to avoid long lines at 
the Post Office, ecommerce merchants should be aware of the flaws in PC Postage software 
which can restrict their growth potential and compromise the privacy and security of their 
business data. 

The United States Postal Service offers alternative shipping technologies which do not suffer 
from the limitations and restrictions of PC Postage. Two of them are Electronic Verification 
System and ePostage. 

To learn more, call us at 916-781-6700 or visit the Web page below: 
http://www.micronite.com/en-us/solutions/shippingandlogistics 
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